CLOUD act
Well, it has a super-duper-special acronym so we can all trust it, can't we.
Seriously, they seem to spend more time on making up names of acts which they can use to bamboozle people than the actual content of the acts.
The Data Access Agreement (DAA), by which the US and UK have agreed how one country can respond to lawful data demands from police and investigators in the other, took effect on Monday. The DAA (aka the Access to Electronic Data for the Purpose of Countering Serious Crime) is intended to facilitate cross-border law enforcement …
"Well, it has a super-duper-special acronym so we can all trust it, can't we."
If the new agreement is anything like the the UK RIPA Act, we can probably expect so many loopholes in it that the FBI will be investigating dogs fouling the UK streets and people putting the wrong kind of rubbish in their bins.
That was no loophole.
The act as originally enacted gave local authorities that power, very clearly. Local authorities do no investigate serious crimes, so what did parliament intend them to use it for?
These powers were originally handed out very freely - to local authorities, the NHS, the ministry of agriculture.....
https://www.legislation.gov.uk/ukpga/2000/23/schedule/1/enacted
The list has been considerably trimmed down since:
https://www.legislation.gov.uk/ukpga/2000/23/schedule/1
Still far too long a list IMO.
Very funny they that. Actually, if you read the CLOUD Act is not that way. It's true that UK (or any other country bending to the Act) gets access to data stored in US about its own citizens, but US gets access to data about your own citizen as well when stored outside US, while you don't get the same level of access to data of US citizens wherever they are stored.
The CLOUD Act is far from being symmetric like a true MLAT - and it's not surprising since it is a US law written and voted by the US Congress without any other country having any voice.
As far as I can see from the analysis linked to the difference applies to citizens and residents outside each country.
The other big difference is that the ECHR provides less protection than the US constitution with regard to privacy.
Given that so much of the data is either in the US or controlled by American companies they negotiated from a position of strength - the US has a unique position of power with regard to the almost anything IT, from hardware to services, particularly when it comes to security and privacy.
The greater problem that the West, and especially NATO and its allies and supporters are not highlighting and drawing your attention to, and which it/they now have to do battle with, or try to make a deal with ITs international intellectual property providers of, is not the supply of information/data/intelligence/metadata which it wants and doesn't have and may wish to suppress and render physically and/or virtually unobtainable, it is prevention of the same being made suddenly unexpectedly public and freely available globally .... for once some of those genies which are manic and chaotic are out of the bottle there is no putting them back and pretending they aren't out there and able to simply cause random and targeted havoc and catastrophic disruption and colossal destruction.
This deal would appear to allow the UK authorities to request information about non-UK citizens (as long as they are not US citizens) if that information is stored in the US, and allow the US to request information about non-UK citizens that is stored in the UK. Anybody providing that information will have to deal with the consequences of being forced to be in breach of GDPR. This could get entertaining...
GDPR isnt applicable here as data for law enforcement purposes is specifically outside of GDPR's remit.
It falls under the Law Enforcement directive. Same principles in essence but different piece of legislation.
That is why we have the DPA 2018 as it effectively implements both GDPR and the LED.